Critical PAN-OS GlobalProtect Gateway RCE Vulnerability

Executive Summary

Palo Alto Networks has disclosed a critical remote code execution vulnerability in PAN-OS GlobalProtect gateway that allows unauthenticated attackers to execute arbitrary commands as root on affected firewalls. The vulnerability, tracked as CVE-2026-0778, has been assigned a CVSS score of 9.8 and is reportedly being exploited in limited targeted attacks.

Organizations running GlobalProtect gateway should patch immediately or apply the recommended workarounds.

Vulnerability Overview

Root Cause

The vulnerability exists in the GlobalProtect gateway's HTTP request handling for the portal and gateway login interfaces. A specially crafted HTTP request can exploit a command injection flaw in the session management component, allowing execution of arbitrary operating system commands without authentication.

Attack Chain

1. Attacker identifies internet-facing GlobalProtect gateway
2. Sends crafted HTTP POST to /ssl-vpn/hipreport.esp
3. Malicious payload injected into session validation parameter
4. PAN-OS processes payload without sanitization
5. Arbitrary command execution as root on PAN-OS
6. Attacker establishes persistent backdoor on firewall

Technical Details

Affected Versions

PAN-OS Version	Affected	Fixed Version
11.1.x	< 11.1.4-h3	11.1.4-h3
11.0.x	< 11.0.6-h2	11.0.6-h2
10.2.x	< 10.2.12-h1	10.2.12-h1
10.1.x	Not affected	N/A
Cloud NGFW	Not affected	N/A
Prisma Access	Not affected	N/A

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Metric	Value
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

Exploitation Requirements

GlobalProtect gateway or portal must be enabled
No authentication required
No user interaction required
Standard HTTPS connectivity to the management/gateway interface

Indicators of Compromise

Network Indicators

Anomalous POST requests to /ssl-vpn/hipreport.esp with oversized parameters
Unexpected outbound connections from PAN-OS management plane
DNS queries to unusual domains from the firewall
Large data transfers from the firewall to external IPs

Host Indicators

Check PAN-OS system logs for:

# CLI commands to check for compromise
show system log pan-task
show log system subtype eq management
show running resource-monitor

# Look for unauthorized configuration changes
show config diff running candidate
debug software restart process management-server

Suspicious File Paths

/opt/pancfg/mgmt/saved-configs/*.xml — Check for unauthorized config backups
/var/log/pan/*.log — Review for command injection artifacts
/tmp/ — Look for unexpected scripts or binaries

Immediate Remediation

Option 1: Patch (Recommended)

Upgrade to the fixed PAN-OS version for your branch:

# From PAN-OS CLI
request system software download version 11.1.4-h3
request system software install version 11.1.4-h3

Option 2: Workaround (If Patching Is Delayed)

Disable GlobalProtect portal/gateway if not actively needed
Restrict access to GlobalProtect interfaces via Panorama/device ACLs:

# Restrict GlobalProtect to known IP ranges
set network profiles zone-protection-profile gp-protect
set network interface ethernet1/1 zone-protection-profile gp-restrict

Enable Threat Prevention signature (Threat ID 95187) if available
Monitor logs for exploitation attempts

Option 3: Emergency Mitigation

Place a web application firewall or reverse proxy in front of GlobalProtect to filter malicious requests to /ssl-vpn/hipreport.esp.

Detection Rules

Snort/Suricata Rule

alert http any any -> any any (
  msg:"CVE-2026-0778 PAN-OS GlobalProtect RCE Attempt";
  flow:to_server,established;
  content:"POST"; http_method;
  content:"/ssl-vpn/hipreport.esp"; http_uri;
  pcre:"/(?:;|\||`|\$\()/";
  sid:2026077801;
  rev:1;
)

Palo Alto Cortex XDR

Cortex XDR customers should ensure they have the latest content update (CU-1045+) which includes behavioral detection for this exploitation technique.

Vendor Response

Palo Alto Networks released the advisory on February 7, 2026 with hotfix availability. The company has:

Activated Threat Prevention signature updates
Provided Cortex XDR detection content
Published detailed remediation guidance
Coordinated with CISA for KEV catalog inclusion

References

Executive Summary

Organizations running GlobalProtect gateway should patch immediately or apply the recommended workarounds.

Vulnerability Overview

Root Cause

Attack Chain

1. Attacker identifies internet-facing GlobalProtect gateway
2. Sends crafted HTTP POST to /ssl-vpn/hipreport.esp
3. Malicious payload injected into session validation parameter
4. PAN-OS processes payload without sanitization
5. Arbitrary command execution as root on PAN-OS
6. Attacker establishes persistent backdoor on firewall

Technical Details

Affected Versions

PAN-OS Version	Affected	Fixed Version
11.1.x	< 11.1.4-h3	11.1.4-h3
11.0.x	< 11.0.6-h2	11.0.6-h2
10.2.x	< 10.2.12-h1	10.2.12-h1
10.1.x	Not affected	N/A
Cloud NGFW	Not affected	N/A
Prisma Access	Not affected	N/A

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Metric	Value
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

Exploitation Requirements

GlobalProtect gateway or portal must be enabled
No authentication required
No user interaction required
Standard HTTPS connectivity to the management/gateway interface

Indicators of Compromise

Network Indicators

Anomalous POST requests to /ssl-vpn/hipreport.esp with oversized parameters
Unexpected outbound connections from PAN-OS management plane
DNS queries to unusual domains from the firewall
Large data transfers from the firewall to external IPs

Host Indicators

Check PAN-OS system logs for:

# CLI commands to check for compromise
show system log pan-task
show log system subtype eq management
show running resource-monitor

# Look for unauthorized configuration changes
show config diff running candidate
debug software restart process management-server

Suspicious File Paths

/opt/pancfg/mgmt/saved-configs/*.xml — Check for unauthorized config backups
/var/log/pan/*.log — Review for command injection artifacts
/tmp/ — Look for unexpected scripts or binaries

Immediate Remediation

Option 1: Patch (Recommended)

Upgrade to the fixed PAN-OS version for your branch:

# From PAN-OS CLI
request system software download version 11.1.4-h3
request system software install version 11.1.4-h3

Option 2: Workaround (If Patching Is Delayed)

Disable GlobalProtect portal/gateway if not actively needed
Restrict access to GlobalProtect interfaces via Panorama/device ACLs:

# Restrict GlobalProtect to known IP ranges
set network profiles zone-protection-profile gp-protect
set network interface ethernet1/1 zone-protection-profile gp-restrict

Enable Threat Prevention signature (Threat ID 95187) if available
Monitor logs for exploitation attempts

Option 3: Emergency Mitigation

Place a web application firewall or reverse proxy in front of GlobalProtect to filter malicious requests to /ssl-vpn/hipreport.esp.

Detection Rules

Snort/Suricata Rule

alert http any any -> any any (
  msg:"CVE-2026-0778 PAN-OS GlobalProtect RCE Attempt";
  flow:to_server,established;
  content:"POST"; http_method;
  content:"/ssl-vpn/hipreport.esp"; http_uri;
  pcre:"/(?:;|\||`|\$\()/";
  sid:2026077801;
  rev:1;
)

Palo Alto Cortex XDR

Cortex XDR customers should ensure they have the latest content update (CU-1045+) which includes behavioral detection for this exploitation technique.

Vendor Response

Palo Alto Networks released the advisory on February 7, 2026 with hotfix availability. The company has:

Activated Threat Prevention signature updates
Provided Cortex XDR detection content
Published detailed remediation guidance
Coordinated with CISA for KEV catalog inclusion

Affected Products

Executive Summary

Vulnerability Overview

Root Cause

Attack Chain

Technical Details

Affected Versions

CVSS v3.1 Vector

Exploitation Requirements

Indicators of Compromise

Network Indicators

Host Indicators

Suspicious File Paths

Immediate Remediation

Option 1: Patch (Recommended)

Option 2: Workaround (If Patching Is Delayed)

Option 3: Emergency Mitigation

Detection Rules

Snort/Suricata Rule

Palo Alto Cortex XDR

Vendor Response

References

Related Reading

Affected Products

Executive Summary

Vulnerability Overview

Root Cause

Attack Chain

Technical Details

Affected Versions

CVSS v3.1 Vector

Exploitation Requirements

Indicators of Compromise

Network Indicators

Host Indicators

Suspicious File Paths

Immediate Remediation

Option 1: Patch (Recommended)

Option 2: Workaround (If Patching Is Delayed)

Option 3: Emergency Mitigation

Detection Rules

Snort/Suricata Rule

Palo Alto Cortex XDR

Vendor Response

References

Related Reading